Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent

Resolves: rhbz#2052819
2022-02-21 20:10:10 +00:00 · 2022-02-21 20:10:10 +00:00 · adde3ad33b
parent 37c16ffafe
commit adde3ad33b
2 changed files with 106 additions and 1 deletions
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@ -334,7 +334,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        8
-%global rpmrelease      5
+%global rpmrelease      6
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -1242,6 +1242,7 @@ Patch1013: rh1991003-enable_fips_keys_import.patch
 # RH2021263: Resolve outstanding FIPS issues
 Patch1014: rh2021263-fips_ensure_security_initialised.patch
 Patch1015: rh2021263-fips_missing_native_returns.patch
+Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch

 #############################################
 #
@ -1674,6 +1675,7 @@ popd # openjdk
 %patch1013
 %patch1014
 %patch1015
+%patch1016

 # Extract systemtap tapsets
 %if %{with_systemtap}
@ -2446,6 +2448,10 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2052819
+
 * Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
 - Fix FIPS issues in native code and with initialisation of java.security.Security
 - Resolves: rhbz#2023531
--- a/rh2021263-fips_separate_policy_and_fips_init.patch
+++ b/rh2021263-fips_separate_policy_and_fips_init.patch
@ -0,0 +1,99 @@
+commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Tue Jan 18 02:09:27 2022 +0000
+
+    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index 28ab1846173..f9726741afd 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -61,10 +61,6 @@ public final class Security {
+     private static final Debug sdebug =
+                         Debug.getInstance("properties");
+ 
+-    /* System property file*/
+-    private static final String SYSTEM_PROPERTIES =
+-        "/etc/crypto-policies/back-ends/java.config";
+-
+     /* The java.security properties */
+     private static Properties props;
+ 
+@@ -206,22 +202,36 @@ public final class Security {
+             }
+         }
+ 
+        if (!loadedProps) {
+            initializeStatic();
+            if (sdebug != null) {
+                sdebug.println("unable to load security properties " +
+                        "-- using defaults");
+            }
+        }
+
+         String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+         if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+             "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+-            if (SystemConfigurator.configure(props)) {
+-                loadedProps = true;
+            if (!SystemConfigurator.configureSysProps(props)) {
+                if (sdebug != null) {
+                    sdebug.println("WARNING: System properties could not be loaded.");
+                }
+             }
+         }
+ 
+-        if (!loadedProps) {
+-            initializeStatic();
+        // FIPS support depends on the contents of java.security so
+        // ensure it has loaded first
+        if (loadedProps) {
+            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+             if (sdebug != null) {
+-                sdebug.println("unable to load security properties " +
+-                        "-- using defaults");
+                if (fipsEnabled) {
+                    sdebug.println("FIPS support enabled.");
+                } else {
+                    sdebug.println("FIPS support disabled.");
+                }
+             }
+         }
+-
+     }
+ 
+     /*
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 874c6221ebe..b7ed41acf0f 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -76,7 +76,7 @@ final class SystemConfigurator {
+      * java.security.disableSystemPropertiesFile property is not set and
+      * security.useSystemPropertiesFile is true.
+      */
+-    static boolean configure(Properties props) {
+    static boolean configureSysProps(Properties props) {
+         boolean loadedProps = false;
+ 
+         try (BufferedInputStream bis =
+@@ -96,11 +96,19 @@ final class SystemConfigurator {
+                 e.printStackTrace();
+             }
+         }
+        return loadedProps;
+    }
+
+    /*
+     * Invoked at the end of java.security.Security initialisation
+     * if java.security properties have been loaded
+     */
+    static boolean configureFIPS(Properties props) {
+        boolean loadedProps = false;
+ 
+         try {
+             if (enableFips()) {
+                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+-                loadedProps = false;
+                 // Remove all security providers
+                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+                 while (i.hasNext()) {